CDW Services / Risk Advisory / Penetration Testing
Penetration Testing
Test Your Environment to Prevent Security Incidents
Penetration Testing Overview
Understand Your Risk of Cyberexposure
CDW’s penetration testing services help uncover security vulnerabilities in your environment, aid in understanding your company’s security posture and tests its readiness to withstand and respond to real-world cyberattacks.
Our highly trained team will thoroughly test target systems for known vulnerabilities, misconfigurations and mismanagement of devices in order to ensure that we achieve your testing objectives. We are experienced in executing advanced exploitation attacks using both automated and manual tools. Our testers put emphasis on manual review, using techniques suited to the context of the target environment.
Using industry-recognized and proven methodologies CDW will provide detailed reporting, including a remediation plan to assist in ensuring your organization’s information assets remain protected.
Services
What We Deliver
CDW will provide a report with a summary of the penetration testing activities conducted. The report will contain two sections; an executive summary and a technical report. The executive summary will outline high-level findings and the technical report will provide technical details about findings and outline recommendations.
The report includes:
An executive summary
of results
Testing methodologies, phases and tools utilized
Detailed vulnerability findings, recommended solutions and effort required for remediation
Activity description of attack scenarios or exploitation
An optional presentation of the critical vulnerabilities and findings
Vulnerability Assessment VS. Penetration Testing
The methodology and techniques used by CDW’s team will be similar for both types of assessments; however, their objectives are what differentiates them. Vulnerability Assessments are intended to identify potential vulnerabilities in your environment to understand your current security posture, without simulating real threat actor attacks. Penetration tests are intended to proactively uncover the most significant vulnerabilities and identify the extent of damage a malicious threat actor could cause in your organization.
Learn More
Types of Penetration Testing
Uncover Security Vulnerabilities in Your Environment
During these assessments, CDW’s penetration testers play the role of real-world attackers by targeting your critical information assets. While some vendors rely primarily on automated vulnerability scanning, CDW’s expert team also incorporates their comprehensive understanding of business networks and systems during their manual testing to provide a more holistic testing approach.
CDW’s infrastructure penetration testing services consist of:
- External Network Penetration Testing
Description: Public-facing IT systems and network
- Internal Network Penetration Testing
Description: Internal IT systems and networks, including advanced Active Directory attacks (optional)
- Cloud Network Penetration Testing
Description: Cloud-hosted and hybrid cloud environments
- Wireless Network Penetration Testing
Description: Networks via wireless access points
- Security Compliance Validation Testing
Description: Add-ons to existing tests to support compliance requirements for various programs, such as PCI DSS - Operational Technology (OT) Penetration Testing
Description: Test segregation and attempt to breach various OT environments, including SCADA and IoT
Safeguard Your Web Applications
Application penetration testing from CDW can identify and help you understand your risk of exposure in your applications. Our assessments leverage dynamic application security testing (DAST) and/or static application security testing (SAST) methodologies to uncover security vulnerabilities in your applications. These assessments will help you to better understand your security posture and test your readiness to withstand and respond to real-world cyberattacks.
The manual-based approach by our knowledgeable professionals can help protect your sensitive information and assets by:
- Working with our team to develop a custom scope that takes into account the security needs and requirements of your organization
- Identifying critical application weaknesses through an in-depth, manual-based testing methodology
- Demonstrate how vulnerabilities would be exploited by actual threat actors to compromise asset and user security
- Provide recommendations regarding remediation strategies and timelines, allowing your organization to focus on the most critical risks first
CDW’s application penetration testing services consist of:
- Web applications
- Application Programming Interface (API) endpoints
- Mobile applications – iOS and Android
- Thick client applications
- Secure source code review
Simulate real-world threat scenarios to assess your organization’s cybersecurity resiliency
CDW’s penetration testing team will simulate the techniques and tradecraft of real-world cyber attackers that relate directly to the client's environment and assessment concerns. CDW’s adversarial simulation includes:
Scenario-Based Test:
- A time-boxed assessment emulating a real-world threat actor
- Highlights both risks and impacts associated with a specific breach scenario, typically involving internal client networks
- Includes testing security controls and resiliency using a mutually agreed-upon scenario(s)
Purple Team Assessment:
- An overt assessment that integrates friendly (“blue team”) exercises with an adversarial (“red team”) approach
- One CDW team focuses on the simulated attack, while another provides the client’s SOC with a comprehensive view of the unfolding incident
- This dual perspective provides valuable insights into an organization’s threat landscape, security controls, as well as the ability to detect and respond to threat actors
- Maps adversarial activities to MITRE ATT&CK techniques to evaluate coverage
Red Team Assessment:
- A covert assessment to test user security awareness, incident response procedures and technical controls of the organization’s security program
- Simulating a real-world threat actor, this assessment identifies previously overlooked or unknown avenues of attack that may be exploited to gain access to systems, networks or applications
- May include attempts to penetrate the external network perimeter, establish a foothold in the internal environment and accomplish specific attack objectives that are mutually pre-defined with your organization
- Maps adversarial attack path to MITRE ATT&CK techniques
Assessing the Human Element
Performing a social engineering assessment will help understand how effective security awareness training and procedures are in preventing threat actors from getting valuable corporate information directly from your employees.
CDW’s social engineering services consist of:
- E-mail based phishing – persuade users to click links, submit credentials or execute a malicious payload
- Phone-based attacks (“Vishing and SMShing”) – persuade users to divulge information or perform an action that could be leveraged to gain access to an organization
- On-Site Physical Social Engineering – assesses the effectiveness of physical security controls, employee awareness and training
- Open-Source Intelligence (OSINT) Gathering – identify what information is publicly available which can be leveraged to conduct a targeted attack against the organization
A great option if your company is new to penetration testing
CDW’s targeted attack penetration test focuses on evaluating and exploiting common attack paths found in your environment. Our security team will work to explore your potential risk exposure and provide recommendations on how to remediate the findings identified during the test. Evaluating your organization’s defences against common tactics will enable you to meaningfully improve your organization’s security posture, and help you prepare for future security events.
Targeted Attack Penetration Test Overview (PDF)
Our Security Process
Prepare. Defend. Respond.
Prepare
We help our clients create and align strategies and programs to address ever-evolving business risks. This includes creating a relevant and achievable security roadmap.
Defend
We work collaboratively with clients to decide which technologies to implement to protect against cyberthreats.
Respond
We monitor critical business assets, respond rapidly to incidents and validate the effectiveness of security controls 24/7/365, so you don’t have to.